wiki:experiences:telmich
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
wiki:experiences:telmich [2006/01/06 14:55] 217.14.64.50wiki:experiences:telmich [2006/05/02 13:40] (current) – external edit 127.0.0.1
Line 5: Line 5:
   * motivated developers   * motivated developers
   * small community (still)   * small community (still)
 +  * still unknown to many people out there
 +
 +====== TODO ======
 +
 +Things I want to achieve / do with RSBAC:
 +
 +  - Create a new user, who
 +    - may create, delete and modify other users (like a end user compatible user manager)
 +  - Understand and use PM (there is no "real" documentation!)
 +  - Create a new user, who can shutdown / reboot the system
 +  - use jails
 +  - use rsbac_mod for apache, as soon as vhosts are supported
 +  - test daemons, check whether they can run with rsbac
 +  - test cinit with RSBAC
  
 ====== common problems ====== ====== common problems ======
Line 187: Line 201:
 [[http://trusteddebian.org/Members/tsauter/rsbac-apache-rc.txt/view]] [[http://trusteddebian.org/Members/tsauter/rsbac-apache-rc.txt/view]]
  
-==== configuring apache2 (http server) ==== 
  
-  - Do apt-get install apache2 before 
-  - See what happens:<code> 
-dosinux# /usr/sbin/apache2 
-dosinux# dmesg  
-0000001236|rsbac_adf_request(): request READ, pid 3517, ppid 2735, prog_name apache2, 
-prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result 
-NOT_GRANTED by RC ACL 
-0000001237|rsbac_adf_request(): request READ, pid 3518, ppid 3517, prog_name apache2, 
-prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result 
-NOT_GRANTED by RC ACL 
-0000001238|rsbac_adf_request(): request CHANGE_OWNER, pid 3519, ppid 3518, prog_name 
-apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3519, attr owner, 
-value 33, result NOT_GRANTED by AUTH 
-0000001239|rsbac_adf_request(): request CHANGE_OWNER, pid 3520, ppid 3518, prog_name 
-apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3520, attr owner, 
-value 33, result NOT_GRANTED by AUTH 
-0000001240|rsbac_adf_request(): request CHANGE_OWNER, pid 3521, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3521, attr owner, value 33, result NOT_GRANTED by AUTH 
-0000001241|rsbac_adf_request(): request CHANGE_OWNER, pid 3522, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3522, attr owner, value 33, result NOT_GRANTED by AUTH 
-0000001242|rsbac_adf_request(): request CHANGE_OWNER, pid 3523, ppid 3518, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3523, attr owner, value 33, result NOT_GRANTED by AUTH 
-</code> 
  
 ==== configuring openvpn (vpn server) ==== ==== configuring openvpn (vpn server) ====
Line 407: Line 400:
  
 ==== creating a user/group administrator  ==== ==== creating a user/group administrator  ====
 +
 +===== dosinux.schottelius.org =====
 +
 +==== configuring apache2 (http server) ====
 +
 +  - Do apt-get install apache2 before
 +  - See what happens:<code>
 +dosinux# /usr/sbin/apache2
 +dosinux# dmesg 
 +0000001236|rsbac_adf_request(): request READ, pid 3517, ppid 2735, prog_name apache2,
 +prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result
 +NOT_GRANTED by RC ACL
 +0000001237|rsbac_adf_request(): request READ, pid 3518, ppid 3517, prog_name apache2,
 +prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none,
 +result NOT_GRANTED by RC ACL
 +0000001238|rsbac_adf_request(): request CHANGE_OWNER, pid 3519, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3519, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001239|rsbac_adf_request(): request CHANGE_OWNER, pid 3520, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3520, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001240|rsbac_adf_request(): request CHANGE_OWNER, pid 3521, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3521, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001241|rsbac_adf_request(): request CHANGE_OWNER, pid 3522, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3522, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +0000001242|rsbac_adf_request(): request CHANGE_OWNER, pid 3523, ppid 3518, prog_name
 +apache2, prog_file /usr/sbin/apache2, uid 0, target_type PROCESS, tid 3523, attr owner,
 +value 33, result NOT_GRANTED by AUTH
 +</code>
 +  - Add the AUTH capability 33 (www-data), use rsbac_400 and rsbac_fd_menu /usr/sbin/apache2
 +  - TADA, it runs:<code>
 +dosinux# /usr/sbin/apache2 
 +dosinux# dmesg 
 +0000001243|rsbac_adf_request(): request READ, pid 3692, ppid 2718, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL
 +0000001244|rsbac_adf_request(): request READ, pid 3693, ppid 3692, prog_name apache2, prog_file /usr/sbin/apache2, uid 0, target_type GROUP, tid 33, attr none, value none, result NOT_GRANTED by RC ACL
 +dosinux# ps axu | grep apache2
 +root      3693  0.8  0.9  16744  5436 ?        Ss   16:02   0:00 /usr/sbin/apache2
 +www-data  3694  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3695  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3696  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3697  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +www-data  3698  0.0  0.9  16744  5456 ?        S    16:02   0:00 /usr/sbin/apache2
 +root      3701  0.0  0.0   1520   328 pts/0    R+   16:02   0:00 grep apache2
 +</code>
 +
 +===== Roles =====
 +
 +Roles should make life easier, currently they are just making my life more complicated. Let's see what we can do with them.
 +
 +==== creating a "user_manager" ====
 +
 +The first problem to solve with Roles is to create a user, which is able to
 +  - create
 +  - delete
 +  - and modify other users (like a end user compatible user manager)  
 +
 +
 +First of all, I create a user:
 +  - login as rsbac_400, do <code>rsbac_useradd -d /home/user/user_manager user_manager</code>
 +  - now do <code>rsbac_passwd -n user_manager</code>
 +  - login as root and do<code>
 +mkdir /home/user/user_manager
 +chown user_manager ~user_manager</code>
 +  - Now we successfully created a normal user.
 +  - TOBEDONE...
  
 ===== Backup ===== ===== Backup =====
//
wiki/experiences/telmich.1136559326.txt.gz · Last modified: 2006/05/02 13:40 (external edit)

wiki/experiences/telmich.1136559326.txt.gz · Last modified: 2006/05/02 13:40 (external edit)
This website is kindly hosted by m-privacy